Microsoft 365 security advantages over traditional infrastructure
Microsoft 365 provides some security advantages over traditional infrastructure. It eliminates the costly on-premises infrastructure and the advanced IT knowledge that used to be required, and bundles services such as 100 GB mailboxes (depending on the package), online meetings, document collaboration, a 99.9% uptime SLA and greater flexibility. The cloud platform lets businesses access email, documents, contacts and calendars from a cross-platform architecture, so users get the services they need at any time.
For a lot of companies, Microsoft 365 removes the problem of costly infrastructure and complex Exchange deployments, and of never having invested in HA/DR, because the IT department is now in the cloud and free of those hassles.
From a flexibility point of view, M365 provides the following in terms of access anytime and anywhere:
Microsoft 365 can be accessed over the Internet from any part of the world, not just from the office.
Microsoft 365 can be accessed from any device, not just corporate-owned ones: a personal Windows or Mac laptop, a tablet or a phone, through a browser or an installed Outlook client.
By default, Microsoft 365 can be accessed with only a username and password.
From the organizational data loss prevention point of view, this causes the following issues:
Email can be taken offline and copied to a home PC using Outlook or any other compatible desktop client.
Mail can be downloaded to mobile devices and copied to other locations.
OneDrive for Business data can be synced offline to any compatible device at home or elsewhere, and from there copied or shared anywhere.
SharePoint Online libraries can be synced offline to any compatible device such as a home PC or laptop, and all of that data can be copied or shared elsewhere.
By default, multi-factor authentication is not turned on, so only a username and password are required to log in.
With on-premises environments, the first solution to these problems was the VPN: a VPN controls who can connect to on-premises data. But once we start moving data and resources to the cloud, we need other solutions to control access to our data.
To strengthen access control, Microsoft introduced Conditional Access. Conditional Access lets administrators control which Microsoft 365 applications a user can reach, based on the validation of certain conditions.
These conditions are enforced by creating a policy (or several policies) that grants users access to Microsoft 365 resources only when the conditions are met.
To start, log in to the Microsoft 365 admin center (www.admin.microsoft.com) with Global Admin credentials and open the Azure portal from there.
In the Azure AD portal, select All services > All > Azure AD Conditional Access.
The first thing to create is a trusted network location; then create the policy that Conditional Access will evaluate against it.
The following is an overview of the conditions a policy can control:
Users/Groups – which users you want to control. Users and groups can be included in or excluded from the policy as required.
Cloud Apps – which apps you want to control and provide selective access to. Conditional Access does not need to be applied to the whole Microsoft 365 package; you can be more granular and control access to specific apps only, e.g. Exchange Online.
Client App – which app or software the user connects from, e.g. allow browsers while blocking the mobile and desktop Outlook apps.
Device Platform – which device platforms users can connect from, e.g. allow Windows and iOS but block Android phones.
Location – which IPs or IP ranges can connect to Microsoft 365, e.g. limit access to the office's public IP, which is static.
Sign-in Risk – control sign-ins that Azure AD considers unlikely to come from the legitimate user, e.g. a sign-in from London followed by one from New York 30 minutes later.
Based on the above conditions, access to Microsoft 365 services can be granted subject to the following controls:
Require multi-factor authentication – the user is allowed to log in but must complete an additional verification step first, e.g. a phone call, text message or mobile app prompt.
Require the device to be marked as compliant – the device used to log in must be managed and must meet the Intune compliance policies before it can connect.
Require a Hybrid Azure AD joined device – the device must be Hybrid Azure AD joined. Mobile devices are Azure AD registered, while domain-joined machines can be configured to register automatically with Azure AD.
Require an approved client app – access is allowed only if the connection is made from an approved client application. These applications support mobile application management (MAM) policies, so administrators can enforce controls around them (for example, preventing information from being copied and pasted out of the app).
Now that we have an overview of the Conditional Access policy module, we move on to IP-based Conditional Access.
1. Create a trusted location based on IP. Note that this is recommended only if you have static IPs.
2. Enter the IP details in CIDR format (e.g. 1.2.3.4/27).
3. After saving the IP range, set up the policy. First, assign a policy name.
4. Select the users who must be blocked from logging in from other IP addresses.
5. Choose the application or Cloud App that you want to restrict for that user or group of users.
6. Set the condition for the access. In this case of IP restriction, under Named Locations select the location created in step 1. You can see from the screenshot below that any named locations you defined appear in the list, and you can select one or more of them for each policy, either as an included or an excluded location. You can still create a policy that does not depend on the network location.
7. Grant access based on the IP. You can either completely block access for the user or group, or require specific access controls (such as MFA) instead.
8. Set Enable policy to On and save the policy.
After the policy is set up, when the user tries to log in from any IP address other than the one named in the policy, access is blocked. Please refer to the screenshot below.
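The same named location and IP-based policy can be created from Microsoft Graph PowerShell instead of the portal, which makes the configuration reviewable and repeatable. The script below is an added example and is not part of the original post; the office CIDR 203.0.113.0/27, the group name "Finance Users" and the break-glass account UPN are placeholders to replace with your own values. It requires the Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Groups and Microsoft.Graph.Users modules.

```powershell
# Added example (not from the original post): IP-based Conditional Access via Microsoft Graph PowerShell.
# Placeholders (assumptions, not values from the page): the office CIDR, the group name and the
# break-glass account UPN.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","Application.Read.All","Group.Read.All","User.Read.All"

# Steps 1-2: a trusted named location for the static office IP range.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Office - static public IP"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.0/27" }
    )
}

# Step 4, plus the lockout warning at the end of the post: scope the policy to one group and
# exclude the emergency access (break-glass) account so a misconfiguration cannot lock you out.
$targetGroup = Get-MgGroup -Filter "displayName eq 'Finance Users'"
$breakGlass  = Get-MgUser  -Filter "userPrincipalName eq 'breakglass@contoso.onmicrosoft.com'"

# Steps 3-8: block Exchange Online from every network except the trusted office range.
# 00000002-0000-0ff1-ce00-000000000000 is the well-known Office 365 Exchange Online app ID.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "Block Exchange Online outside office IP"
    # Start in report-only mode; switch to "enabled" once the sign-in logs show that only the
    # expected users and locations would be blocked.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{
            includeGroups = @($targetGroup.Id)
            excludeUsers  = @($breakGlass.Id)
        }
        applications = @{ includeApplications = @("00000002-0000-0ff1-ce00-000000000000") }
        locations    = @{
            includeLocations = @("All")          # evaluate sign-ins from every network ...
            excludeLocations = @($location.Id)   # ... except the trusted office range
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

# Sanity check: read the policy back and confirm the scope and state before enforcing it.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id |
    Select-Object DisplayName, State,
        @{ n = "ExcludedLocations"; e = { $_.Conditions.Locations.ExcludeLocations -join "," } }
```

Creating the policy in report-only mode first and reading it back is the scripted equivalent of the caution in the note below: it lets you watch the Azure AD sign-in logs for the users and locations the policy would have blocked before any real user, or administrator, is locked out.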
Conditional Access will not work in the following situations:
Client apps – not all clients support Conditional Access; the client must support modern authentication, e.g. Outlook 2016 or Outlook 2013 (with a registry key change).
Any custom-developed application that does not use Microsoft's modern authentication will not be covered by Conditional Access.
Outlook 2010 does not support modern authentication, so Conditional Access cannot evaluate it and the user will be allowed to connect; AD FS claims rules are required to block Outlook 2010 by IP range.
Please note: before applying Conditional Access, exclude the users with administrative rights (and at least one emergency access account) from the policy assignment. If a policy is misconfigured, you could otherwise lose access to all services, including the portal you need to fix it.
Conditional Access not only strengthens your company's grip on confidential data but also reduces the chance of a security breach from internal and external threats in many ways.